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Abstract  Multi-robot  networks  use  wireless  communica¬ 
tion  to  provide  wide-ranging  services  such  as  aerial  surveil¬ 
lance  and  unmanned  delivery.  However,  effective  coordina¬ 
tion  between  multiple  robots  requires  trust,  making  them 
particularly  vulnerable  to  cyber- attacks.  Specifically,  such 
networks  can  be  gravely  disrupted  by  the  Sybil  attack,  where 
even  a  single  malicious  robot  can  spoof  a  large  number  of 
fake  clients.  This  paper  proposes  a  new  solution  to  defend 
against  the  Sybil  attack,  without  requiring  expensive  crypto¬ 
graphic  key-distribution.  Our  core  contribution  is  a  novel  al¬ 
gorithm  implemented  on  commercial  Wi-Fi  radios  that  can 
“sense”  spoofers  using  the  physics  of  wireless  signals.  We 
derive  theoretical  guarantees  on  how  this  algorithm  bounds 
the  impact  of  the  Sybil  Attack  on  a  broad  class  of  multi¬ 
robot  problems,  including  locational  coverage  and  unmanned 
delivery.  We  experimentally  validate  our  claims  using  a  team 
of  AscTec  quadrotor  servers  and  iRobot  Create  ground  clients, 
and  demonstrate  spoofer  detection  rates  over  96%. 


1  Introduction 

Multi-robot  networks  rely  on  wireless  communication  to  en¬ 
able  a  wide  range  of  tasks  and  applications:  coverage  [32,  5, 
36],  disaster  management  [6],  surveillance  [3],  and  consen¬ 
sus  [31]  to  name  a  few.  The  future  promises  an  increasing 
trend  in  this  direction,  such  as  delivery  drones  which  trans¬ 
port  goods  (e.g.,  Amazon  Prime  Air  [1])  or  traffic  rerout¬ 
ing  algorithms  (e.g.,  Google  Maps  Navigation)  that  rely  on 
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broadcasted  user  locations  to  achieve  their  goals.  Effective 
coordination,  however,  requires  trust.  In  order  for  these  multi¬ 
robot  systems  to  perform  their  tasks  optimally,  transmitted 
data  is  often  assumed  to  be  accurate  and  trustworthy;  an  as¬ 
sumption  that  is  easy  to  break.  A  particularly  challenging 
attack  on  this  assumption  is  the  so-called  “Sybil  attack.” 

In  a  Sybil  attack  a  malicious  agent  generates  (or  spoofs) 
a  large  number  of  false  identities  to  gain  a  disproportionate 
influence  in  the  network. '  These  attacks  are  notoriously  easy 
to  implement  [38]  and  can  be  detrimental  to  multi-robot  net¬ 
works.  An  example  of  this  is  coverage,  where  an  adversarial 
client  can  spoof  a  cluster  of  clients  in  its  vicinity  in  order  to 
create  a  high  local  demand,  in  turn  denying  service  to  legit¬ 
imate  clients  (Figure  1).  Although  a  vast  body  of  literature 
is  dedicated  to  cybersecurity  in  general  multi-node  networks 
(e.g.,  a  wired  LAN),  the  same  is  not  true  for  multi-robot  net¬ 
works  [17,  35],  leaving  them  largely  vulnerable  to  attack. 
This  is  because  many  characteristics  unique  to  robotic  net¬ 
works  make  security  more  challenging;  for  example,  tradi¬ 
tional  key  passing  or  cryptographic  authentication  is  difficult 
to  maintain  due  to  the  highly  dynamic  and  distributed  nature 
of  multi-robot  teams  where  clients  often  enter  and  exit  the 
network. 

This  paper  addresses  the  challenge  of  guarding  against 
Sybil  attacks  in  multi-robot  networks.  We  focus  on  the  gen¬ 
eral  class  of  problems  where  a  group  of  server  robots  coordi¬ 
nate  to  provide  some  service  using  the  broadcasted  locations 
of  a  group  of  client  robots.  Our  core  contribution  is  a  novel 
algorithm  that  analyzes  the  received  wireless  signals  to  de¬ 
tect  the  presence  of  spoofed  clients  spawned  by  adversaries. 
We  call  this  a  “virtual  spoofer  sensor”  as  we  do  not  use  spe¬ 
cialized  hardware  nor  encrypted  key  exchange,  but  rather  a 
commercial  Wi-Fi  card  and  software  to  implement  our  so¬ 
lution.  Our  virtual  sensor  leverages  the  rich  physical  infor¬ 
mation  already  present  in  wireless  signals.  At  a  high  level, 
as  wireless  signals  propagate,  they  interact  with  the  envi¬ 
ronment  via  scattering  and  absorption  from  objects  along 
the  traversed  paths.  Carefully  processed,  these  signals  can 
provide  a  unique  signature  or  “spatial  fingerprint”  for  each 
client,  measuring  the  power  of  the  signal  received  along  each 
spatial  direction  (Fig.  2).  Unlike  message  contents  such  as 
reported  IDs  or  locations  which  adversaries  can  manipulate, 
spatial  fingerprints  rely  on  physical  signal  interactions  that 
cannot  be  exactly  predicted  [15,  27]. 

Using  these  derived  fingerprints,  we  show  that  a  confi¬ 
dence  mefric,  a  €  (0, 1)  can  be  obtained  for  each  client  in 
the  network.  We  prove  that  these  confidence  mefrics  have  a 
desirable  properly  where  legitimate  clients  have  an  expected 
confidence  metric  close  to  one,  while  spoofed  clients  will 
have  an  expected  confidence  mefric  close  to  zero.  A  par¬ 
ticularly  attractive  feature  of  confidence  metric  a  is  that  it 

*  Please  refer  to  [7,  30]  for  a  detailed  treatment  of  this  class  of  cyber 
attacks. 
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Fig.  1 :  Sybil  Attack  on  Coverage:  A  server  robot  provides  locational 
coverage  to  legitimate  clients  when  no  attack  is  present.  In  a  Sybil  at¬ 
tack,  an  adversary  spoofs  many  fake  clients  to  draw  away  coverage 
from  the  legitimate  clients. 

can  be  readily  integrated  into  a  wide  variety  of  multi-robot 
controllers.  In  particular,  we  demonstrate  two  natural  meth¬ 
ods  to  integrate  a  into  these  controllers:  either  as  a  contin¬ 
uous  per-client  weighting  function  or  as  a  means  to  clas¬ 
sify  clients  discretely  into  two  groups  as  either  legitimate 
or  spoofed.  More  importantly,  we  prove  analytical  bounds 
on  a  that  provably  limit  the  influence  of  adversarial  clients 
on  the  performance  of  these  controllers.  We  integrate  our 
confidence  metric  with  multi-rohot  controllers  in  the  con¬ 
text  of  two  well-known  problems:  locational  coverage  algo¬ 
rithm  [5,  36]  and  the  drone  delivery  [1,  22,  33]. 

We  provide  an  extensive  experimental  evaluation  of  our 
theoretical  claims  using  a  heterogeneous  team  of  air/ground 
robots  consisting  of  two  AscTec  Hummingbird  platforms 
and  ten  iRobot  Create  platforms.  We  conduct  our  experi¬ 
ments  in  general  indoor  settings  with  randomly  placed  clients 
Our  results  in  both  the  coverage  and  vehicle  routing  prob¬ 
lems  demonstrate  a  spooler  detection  rate  of  96%.  In  ad¬ 
dition,  for  the  case  of  coverage  we  find  thaf  the  converged 
positions  of  the  service  robots  is  on  average  3  cm  from  opti¬ 
mal  even  when  more  than  75%  of  total  clients  in  the  network 
are  spoofed. 

Contributions  of  this  paper:  We  develop  a  virtual  sensor 
for  spoofing  detection  which  provides  performance  guaran¬ 
tees  in  the  presence  of  Sybil  attacks  and  is  applicable  to  a 
broad  class  of  problems  in  distributed  robotics.  We  show  that 
the  influence  of  spoolers  is  analytically  bounded  under  our 
system  in  two  contexts:  1)  locational  coverage,  where  each 
robot  providing  coverage  remains  within  a  bounded  radius 
of  its  optimal  position  even  in  the  presence  of  adversarial 
clients.  2)  unmanned  delivery,  where  the  total  path  length 
traversed  by  the  service  vehicle  remains  bounded  relative  to 
its  value  in  the  absence  of  an  attack.  Our  theoretical  results 
are  validated  extensively  through  experiments  in  diverse  set¬ 
tings. 


2  Related  Work 

The  problem  of  Sybil  attacks  has  been  studied  in  general 
multi-node,  often  static,  networks,  and  many  tools  have  been 
developed  for  these  settings.  Past  work  falls  under  three  cat¬ 
egories:  (1)  Cryptographic  authentication  schemes  can  be 
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Fig.  2:  Spatial  Fingerprints:  A  quadrotor  server  measures  the  direc¬ 
tional  signal  strength  of  each  client  (here,  simplified  to  2-D).  The  blue 
client  has  one  line-of-sight  peak;  the  other,  2  signal  paths. 

used  to  prevent  Sybil  attacks  (Table  7  in  [44]).  These  re¬ 
quire  trusted  central  authorities  and  computationally  expen¬ 
sive  distributed  key  management,  to  account  for  dynamic 
clients  that  enter  and  leave  the  network  [44].  (2)  Non  cryp¬ 
tographic  techniques  in  the  wireless  networking  community 
leverage  wireless  physical-layer  information  to  detect  spoofed 
client  identities  or  falsified  locations  [18,  48,  46,  47,  45]. 
These  rely  on  bulky  and  expensive  hardware  like  large  multi¬ 
antenna  arrays,  that  cannot  be  mounted  on  small  robotic 
platforms.  (3)  Recent  techniques  have  attempted  to  use  wire¬ 
less  signal  information  like  received  signal  strength  (RSSI)  [26, 
42,  34]  and  channel  state  information  [24].  Such  techniques 
need  clients  to  remain  static,  since  mobility  can  cause  wire¬ 
less  channels  to  fluctuate  rapidly  [2].  In  addition,  they  are 
susceptible  to  power-scaling  attacks,  where  clients  scale  power 
differently  to  imitate  different  users.  In  sum,  the  above  sys¬ 
tems  share  one  or  more  of  the  following  characteristics  mak¬ 
ing  them  ill-suited  to  multi-robot  networks:  (1)  require  com¬ 
putationally  intensive  key  management;  (2)  rely  on  bulky 
and  expensive  hardware;  (3)  assume  static  networks.  Indeed 
past  work  has  highlighted  the  gravity  and  apparent  spar¬ 
sity  of  solutions  to  cyber-security  threats  in  multi-robot  net¬ 
works  [17,  35,  4]. 

Unlike  past  work,  our  solution  has  three  attributes  that 
particularly  suit  multi-robot  networks.  (1)  It  captures  phys¬ 
ical  properties  of  wireless  signals  and  therefore  does  not 
require  distributed  key  management.  (2)  It  relies  on  cheap 
commodity  Wi-Fi  radios,  unlike  hardware-based  solutions  [46, 
48].  (3)  It  is  robust  to  client  mobility  and  power-scaling  at¬ 
tacks. 

Finally,  our  system  builds  on  Synthetic  Aperture  Radar 
(SAR)  to  construct  signal  fingerprints  [10].  SAR  has  been 
widely  used  for  radar  imaging  [10,  19]  and  indoor  position¬ 
ing  [21,  20,  41,  13].  In  contrast,  this  paper  builds  upon  SAR 
to  provide  cyber- security  to  multi-robot  networks.  In  doing 
so,  it  provides  theoretical  security  guarantees  that  are  val¬ 
idated  experimentally.  These  integrate  readily  with  perfor¬ 
mance  guarantees  of  existing  multi-robot  controllers,  like 
the  well-known  robotic  coverage  controllers  [5,  36]  as  shown 
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in  Sec.  §6  and  drone  delivery  controllers  [22,  33]  as  de¬ 
scribed  in  Sec.  §7. 

3  Problem  Statement 

This  paper  focuses  on  problems  where  the  knowledge  of 
agent  positions  facilitates  some  collaborative  task.  Specifi¬ 
cally,  it  assumes  two  groups  of  agents,  “clients”  requiring 
some  type  of  location-based  service  such  as  coverage  or 
goods  delivery  and  “servers”  whose  positions  are  optimized 
in  order  to  provide  the  service  to  its  clients.  Let  P  :=  {pi , . . . , 
Pc  }  denote  the  client  positions  in  .  Let  X  :=  {xi, . . .  ,Xm} 
be  the  positions  of  the  servers  in  and  the  notation  [m]  = 
to}  denote  their  indices.  We  consider  the  case  where 
a  subset  of  the  clients,  S  C  P  (with  s  :=  |S'|)  are  “spoofed” 
clients. 

Definition  1  (Spoofed  Client)  A  single  malicious  client  may 
generate  multiple  unique  identities,  each  with  a  fabricated 
position.  Each  generated,  or  “spawned”  identity  is  consid¬ 
ered  a  spoofed  client.  By  spoofing  multiple  clients,  the  ma¬ 
licious  client  gains  a  disproportionate  influence  in  the  net¬ 
work.  All  clients  which  are  not  spoofed  are  considered  legit¬ 
imate  clients. 

Threat  Model:  Our  threat  model  considers  one  or  more  ad¬ 
versarial  robot  clients  with  one  Wi-Fi  antenna  each.  The  ad¬ 
versaries  can  he  mobile  and  scale  power  on  a  per-packet  ba¬ 
sis.  We  only  consider  adversarial  clients.^  Adversarial  clients 
perform  the  “Sybil  Attack”  to  forge  packets  emulating  s 
non-existent  clients,  where  s  can  exceed  the  number  of  le¬ 
gitimate  clients.  More  formally: 

Definition  2  (Sybil  Attack)  Define  a  network  of  client  and 
server  positions  as  P  U  A,  where  a  subset  S  of  the  clients 
are  spoofed,  such  that  P  =  S  \J  S.  We  assume  that  set  P  is 
known  hut  knowledge  of  which  clients  are  spoofed  (i.e.,  in 
S)  is  unknown.  This  attack  is  called  a  “Sybil  Attack.” 

To  counter  the  Sybil  attack,  this  paper  has  two  objec¬ 
tives.  First,  we  find  a  relation  capturing  directional  signal 
strength  between  a  client  i  and  a  server  1.  We  seek  a  map¬ 
ping  Fii  :  [0,  X  [0,  27r]  i— >■  R  such  that  for  any  3D  di¬ 
rection  {9,4))  defined  in  Fig.  4,  fhe  value  Fii{6,4))  is  fhe 
power  of  the  received  signal  from  client  i  along  that  direc¬ 
tion.  Using  this  mapping,  or  “fingerprint”,  our  first  problem 
is  to  derive  a  confidence  metric  whose  expectation  is  prov- 
ahly  bounded  near  1  for  legitimate  clients  and  near  0  for 
spoofed  clients.  Further,  we  wish  to  find  fhese  bounds  an¬ 
alytically  from  problem  parameters  like  the  signal-to-noise 
ratio  of  the  received  wireless  signal.  We  summarize  this  ob¬ 
jective  as  Problem  1  below: 

^  The  case  of  adversarial  server  robots  is  left  for  future  work  al¬ 
though  many  of  the  concepts  in  the  current  paper  are  extensible  to  this 
case  as  well. 


Problem  1  (Spoofer  Detection)  Let  P)  be  the  set  of  finger¬ 
prints  measured  from  all  clients  j  G  [c]  and  servers  I  G 
[to]  in  the  neighborhood,  A/],  of  client  i?  Here,  a  neigh¬ 
borhood  of  client  i,  J\fi,  are  all  agents  that  can  receive  Wi¬ 
Fi  transmissions  sent  by  client  i.  Using  P^,  derive  a  con¬ 
fidence  metric  afiPi)  G  (0,1)  and  a  threshold  uji(crf)  > 

0  where  af  represents  error  variances  such  as  the  signal- 
to-noise  ratio  that  are  assumed  to  be  given.  Find  Wi(-)  to 
have  the  provable  property  of  differentiating  spoofed  clients 
whereby  spoofed  clients  are  bounded  below  this  threshold, 
i.e.,  E\aj\  <  oj,  and  legitimate  clients  are  bounded  above 
this  threshold  E[ai]  >  1  —  w. 

Our  second  objective  is  to  apply  our  spoofer  detection 
method  as  weights  that  can  bound  the  influence  of  spoofers 
in  multi-robot  problems.  Specifically,  we  consider  the  well- 
known  coverage  problem  in  [5,  36].  We  show  that  by  inte¬ 
grating  the  confidence  metric  from  Problem  1 ,  we  can  ana¬ 
lytically  bound  the  error  in  performance  caused  by  spoofed 
clients  in  the  network.  We  consider  the  coverage  problem 
where  an  importance  function  is  defined  over  an  environ- 
menf  and  where  fhe  positions  of  the  clients  correspond  to 
peaks  in  the  importance  function.  Here,  servers  position  them¬ 
selves  to  maximize  their  proximity  to  these  peaks,  to  im¬ 
prove  their  coverage  over  client  robots.  If  Cy  =  {a:* ,  •  •  • , 
is  the  set  of  server  positions  optimized  by  the  coverage  con¬ 
troller  with  zero  spoofers,  we  wish  to  guarantee  that  server 
positions  optimized  with  spoofers  present,  is  “close” 
to  Cy.  We  state  this  second  objective  more  specifically  as 
Problem  2  below: 

Problem  2  (Sybil-resillience  in  Multi-Robot  Coverage)  Con¬ 
sider  a  locational  coverage  problem  where  an  importance 
function  p{q)  >  0  is  defined  over  an  environment  Q  C 
and  q  G  Q.  Specifically,  consider  an  importance  function 
that  can  be  decomposed  into  terms,  pfiq),  depending  on 
each  client’s  position,  i  G  [c]  (for  example,  each  client  posi¬ 
tion  corresponds  to  apeak),  i.e.,  p{q)  =  pi{q)  +  Pc{q)- 
Let  Cv  =  {a;}, . . . ,  x^}  be  the  set  of  server  positions  re¬ 
turned  by  an  optimization  of  p{q)  over  X,  where  there  are 
zero  spoofed  clients  in  the  network.  Under  a  Sybil  attack,  let 
Cvc,  =  {a;i ,  ■  •  ■ ,  Xm]  be  the  set  of  server  positions  returned 
by  an  optimization  of  an  a-modified  importance  function 
p{q)  —  aipi{q)  -f  . . .  -f  acPc{q)  where  the  importance 
weight  terms  satisfy  the  bounds  stated  in  Problem  1 .  We 
wish  to  find  an  e{P)  >  0  such  that  the  set  Cy^  is  within 
a  distance  e{P)  to  Cy.  Cy^  is  within  a  distance  e{P)  to 
Cv  if  Vx  G  Cva  there  exists  a  unique  y  G  Cy  where 
dist(a;,y)  <  £(P).  Here,  P  is  a  set  of  problem  parameters 
that  we  wish  to  find. 

^  Detecting  if  a  client  i  is  spoofed  becomes  easier  given  more  servers 
communicating  with  i  (i.e.,  a  larger  neighborhood  A/]).  But  even  with 
a  single  server,  this  determination  can  be  made.  A  theoretical  treatment 
of  this  point  is  given  in  Sec.  §5  and  experimental  results  (§9.1)  use  as 
little  as  one  server. 
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Intuitively,  solutions  to  Problem  2  guarantee  that  under  a 
Sybil  attack,  all  server  positions  computed  using  an  a-modified 
coverage  controller  are  within  a  computable  distance  t{V) 
from  their  optimal  positions  (i.e.,  in  the  absence  of  spoofers). 
Sec.  §6  derives  a  closed-form  for  e{'P)  and  shows  the  set 
V  of  problem  parameters  to  be  the  number  of  spoofers,  the 
footprint  of  the  environment  covered,  and  signal  noise. 

Finally,  Problem  3  below  shows  that  the  a  weights  can 
be  used  to  derive  discrete  decision  variables  for  selecting 
what  clients  to  service,  for  example,  in  a  drone  delivery  con¬ 
text.  Here,  the  goal  is  to  bound  the  difference  between  the 
resulting  expected  path  length  and  the  expected  path  length 
in  the  optimal  case  of  no  spoofed  clients.  For  consistency, 
we  will  refer  to  the  delivery  drone  as  a  “server”  throughout. 

Problem  3  (Sybil-resillience  in  Drone  Delivery)  Consider 
the  graph  G  =  {V,E)  where  vertices  V  =  P  VJ  x  are  client 
and  depot  positions  P  and  x  respectively,  and  edges  Ci  G  E 
connect  the  vertex  of  every  client  pi  G  P  to  the  depot  vertex 
X,  i.e.,  a  star  graph  where  x  is  the  inner  vertex.  Note  that  we 
consider  the  case  for  one  server  and  several  clients  where  the 
goal  of  the  server  is  to  serve  each  client,  by  iteratively  pick¬ 
ing  up  its  package  at  the  depot  location  x  and  transporting  it 
to  the  client’s  location  p  G  P. 

Let  the  path  cost  for  each  edge  d  :  (E)  — K.  be  the  Eu¬ 
clidean  distance  of  that  edge  in  G.  We  wish  to  show  that 
an  indicator  function  defined  over  the  ai  from  Prob¬ 
lem  1  can  be  used  as  a  decision  variable  to  select  a  subset 
of  clients  P*  C  P  to  be  serviced  by  the  delivery  vehicle. 
The  resulting  subset  of  clients  P*  has  the  property  that  the 
expected  path  length  computed  over  this  subset  of  clients, 
d{pi,x),  is  the  same  to  within  a  computable 
bound,  as  the  expected  path  length  computed  over  only  le¬ 
gitimate  clients  Liegit  =  ^p^,=p\s  d{pi,  x).  In  other  words, 
we  wish  to  find  a  set  of  problem  parameters  V  and  a  bound 
5{V)  such  that  \E[L]  -  S[Liegit]|  <  5{V). 


4  Fingerprints  to  Detect  Malicious  Clients 

Here  we  construct  a  fingerprint,  a  directional  signal  strength 
profile  for  a  communicating  server-client  pair.  Our  choice 
of  signal  fingerprints  have  many  desirable  properties  that 
enable  us  to  derive  a  robust  spoof-detection  metric;  they 
1 )  capture  directional  information  of  the  transmitted  signal 
source  and  thus  are  well-suited  for  flagging  falsely  reported 
client  positions,  2)  can  be  obtained  for  a  single  server-client 
pair,  unlike  location  estimation  techniques  such  as  triangula¬ 
tion  which  require  multiple  servers  to  coordinate,  3 )  cannot 
be  manipulated  by  the  client,  since  the  occurrence  of  each 
signal  path  is  due  to  environment  reflections,  4)  are  applica¬ 
ble  in  complex  multipath  environments  where  a  transmitted 
signal  is  scattered  off  of  walls  and  objects; since  these  scat¬ 
tered  signals  manifest  themselves  as  measurable  peaks  in 


the  fingerprint,  complex  multipath  contributes  significantly 
to  fingerprint  uniqueness. 

We  construct  fingerprints  using  wireless  channels  h,  com¬ 
plex  numbers  measurable  on  any  wireless  device  character¬ 
izing  the  attenuation  in  power  and  the  phase  rotation  that  sig¬ 
nals  experience  as  they  propagate  over  the  air.  These  chan¬ 
nels  also  capture  the  fact  that  wireless  signals  are  scattered 
by  the  environment,  arriving  at  the  receiver  over  (poten¬ 
tially)  several  different  paths  [40].  Fig.  3  is  an  example  2D 
schematic  of  a  wireless  signal  traversing  from  a  client  robot 
to  a  server  robot  arriving  along  two  separate  paths:  one  at¬ 
tenuated  direct  path  at  40°  and  one  reflected  at  60° .  If  the 
server  robot  had  a  directional  antenna,  it  could  obtain  a  full 
3D  profile  of  power  of  the  received  signal  (i.e.,  |iip)  along 
every  spatial  direction.  We  use  such  a  3-D  profile  as  a  “spa¬ 
tial  fingerprint”  that  can  help  distinguish  between  different 
clients. 

Unfortunately  directional  antennas  are  composed  of  large 
arrays  of  many  antennas  that  are  too  bulky  for  small  ag¬ 
ile  robot  platforms.  Luckily,  a  well-known  technique  called 
Synthetic  Aperture  Radar  [10]  (SAR)  can  be  used  to  emu¬ 
late  such  an  antenna  using  a  commodity  Wi-Fi  radio.  Its  key 
idea  is  to  use  small  local  robotic  motion,  such  as  spinning 
in-place,  to  obtain  multiple  snapshots  of  the  wireless  chan¬ 
nel  that  are  then  processed  like  a  directional  array  of  anten¬ 
nas.  SAR  can  be  Implemented  using  a  well-studied  signal 
processing  algorithm  called  MUSIC  [16]  to  obtain  spatial 
fingerprints  at  each  server  robot. 

Mathematically,  we  obtain  a  spatial  fingerprint  for  each 
wireless  link  between  a  server  I  and  client  i  as  a  matrix  P^  : 
K.  X  R  — >■  K..  For  each  spatial  path  represented  as  {9,  fi)  (see 
Fig.  4),  Eij  maps  to  a  scalar  value  representing  the  signal 
power  received  along  that  path.  More  formally: 

Fu{fi,9)  =  (1) 

Where  hii  is  a  vector  of  the  ratio  of  wireless  channel  snap¬ 
shots  between  two  antennas  mounted  on  the  body  of  the 
server  I  and  9)  =  cos{(j)  —  Bi)  sin(0  —  Fi),  A 

is  the  wavelength  of  the  signal  and  r  is  the  distance  be¬ 
tween  the  antennas,  Bi,  Fi  are  the  server’s  angular  orienta¬ 
tion,  Eig^{-)  are  noise  eigenvectors,  is  conjugate  trans¬ 
pose,  and  k  is  the  number  of  signal  eigenvectors,  equal  to 
the  number  of  paths. 

While  our  above  formulation  is  derived  from  MUSIC  [16], 
it  varies  in  one  important  way:  while  MUSIC  uses  a  single¬ 
antenna  channel  snapshot  hu,  we  use  the  channel  ratio  hu  = 
/ii between  two  antennas.  This  modification  provides 
resilience  to  intentional  power  scaling  by  the  sender  since 
scaling  his  transmit  power  by  x  yields  a  measured  ratio  hu  = 
X^iii  /(x^2ii ) ;  a  value  unaffected  by  power  scaling. 
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Fig.  3:  Example  Signal  Fingerprint:  (a)  A 

server  (x)  receives  a  client  (•)  signal  on  2 
paths:  direct  along  40°  attenuated  by  an  ob¬ 
stacle  (shaded)  and  reflected  by  a  wall  along 
60°.  (b)  is  a  corresponding  fingerprint:  peak 
heights  at  40°  and  60°  correspond  to  their 
relative  attenuations. 


Fig.  4:  3-D  Angles:  The  figure  depicts  the 
notation  for  the  azimuthal  angle  0  and  po¬ 
lar  angle  9  for  the  direct  path  from  a  ground 
client  (•)  to  aerial  server  robot  (x)  in  3  di¬ 
mensions.  More  generally,  the  set  of  all  an¬ 
gles  between  client  i  and  server  I  are  denoted 
as  <Pii,  Oil  respectively. 


Symbol 

Meaning 

m,  c,  s 

No.  of  servers,  clients,  spoofers 

Pi,  XI 

Position  of  client  i  /  server  1 

Til,  k 

Fingerprint  of  i  all,  k  peaks 

hii 

M  X  1  channel  ratios  of  i  to  / 

/(■ 

PDF  of  normal  distribution 

ff(- 

min(l,  \/2TTf{x-,  fi,  cr^)) 

K 

Constant  =  ((v^  +  ^/d)lTTp 

Oli,  pi 

confidence,  honesty  metric  of  i 

lij 

Similarity  metric  of  client  i,  j 

SNR 

Signal-to-noise  ratio 

RSSI 

Received  Signal  Strength 

2  2 

Variance  in  peak  shifts  of  Fn 

-  2  '-2 

(Tg,  u'^  plus  measurement  error 

Cvl  >  C'Va 

Coverage  centroid  of  optimal,  our 

system;  error  e  within  e 

D{Q),p(q) 

Footprint,  Mass  function 

Fig.  5:  Table  of  Most  Common  Notations 


5  Constructing  a  Client  Confidence  Metric 

Given  a  client  fingerprint  9)  for  each  client  i  relative 

to  a  robotic  server  I,  we  wish  to  generate  a  confidence  met¬ 
ric  ai  G  [0, 1]  that  approaches  1  for  legitimate  clients,  and 
0  otherwise.  We  achieve  this  by  defining  ai  as  the  product 
of  two  terms  Pi  and  7^  that  go  to  0  if  a  client  reports  a  fal¬ 
sified  location  or  has  the  same  fingerprint  as  another  client 
j  respectively.  In  particular,  Pi  is  termed  the  honesty  metric 
and  is  the  likelihood  (Eq.  (2))  that  client  i  is  indeed  along 
its  reported  direction  {pUjOu)  with  respect  to  each  server  I 
in  its  neighborhood.  The  second  term  7^  is  the  similarity 
metric  -  the  likelihood  that  client  i’s  fingerprint  as  seen  by 
server  I  is  not  unique  compared  to  that  of  a  different  client  j 
of  server  1.  Finally,  ai  is  the  product  oil)  Pi  and  2)  (1  —  7^ ) 
over  all  j  i,  which  compares  client  i’s  fingerprint  with  all 
other  clients  in  its  neighborhood  and  approaches  0  if  client 
i’s  profile  is  not  unique.  Therefore  if  either  the  honesty  term 
or  similarity  term  goes  to  0,  the  confidence  metric  ai  for 
client  i  also  approaches  zero. 

oii  =  Pi  ]^(1  -  lij)  where.  Pi  =  W  C{i  is  at  {piu9ii)\Fa) 

j^i  iGMi 

Jij  =  (2) 

leJGi 


are  normally  distributed  with  zero  mean  and  well-defined 
variance,  based  on  the  wireless  medium’s  signal-to-noise  ra¬ 
tio  (SNR): 

Lemma  1  Let  A9i,  Api  denote  the  error  between  the  az¬ 
imuthal  and  polar  angle  of  the  uncorrelated  path  of  a 
(potentially  multipath)  source  and  the  corresponding  angles 
of  the  (local)  maximum  in  the  fingerprint  F(p,  9),  over  sev¬ 
eral  uniformly  gathered  packets  (i.e.,  SAR  snapshots)  for 
9  G  (10°,  80°).  Then  A9i  and  Api  are  normally  distributed 
with  a  mean  0,  and  expected  variance  and  agt 

al  =  al  =9X^/(8MTr^r^SNR) 

Where,  A  is  the  wavelength  of  the  signal,  SNR  is  the  signal- 
to-noise  ratio  in  the  networlP,  M  is  the  number  of  packets 
per- rotation,  and  r  is  the  distance  between  the  antennas.  □ 

The  above  lemma  follows  from  well-known  Cramer-Rao 
bounds  [28,  12,  11]  shown  previously  for  linear  antenna 
movements  in  SAR  [39]  but  readily  extensible  to  circu¬ 
lar  rotations  (proof  in  supplementary  text  [14]).  Using  this 
lemma,  we  can  define  the  honesty  metric  Pi  as  the  likeli¬ 
hood  that  the  client  is  at  its  reported  location,  subject  to  this 
Gaussian  error  and  additional  measurement  error  in  reported 
locations. 


Here,  £(•)  denotes  an  event  likelihood,  {pii,9ii)  is  the  re¬ 
ported  direction  of  client  i  with  respect  to  server  I,  and  the 
neighborhood  A/)  are  servers  communicating  with  client  i. 
Defining  Honesty  and  Similarity  Metrics:  The  honesty 
metric  Pi  and  similarity  metric  77  are  derived  using  peak 
locations  in  client  fingerprints.  In  practice  however,  peaks 
may  have  slight  shifts  owing  to  noise.  Thus,  any  comparison 
between  peak  locations  must  permit  some  variance  due  to 
these  shifts.  Fortunately,  noise  in  wireless  environments  can 
be  modeled  closely  as  additive  white-Gaussian  [40].  As  the 
following  lemma  shows,  this  results  in  peak  shifts  that  are 
also  Gaussian,  meaning  that  their  variance  is  easy  to  model 
and  account  for.  More  formally,  the  lemma  states  that  shifts 


Definition  3  (Pi)  Let  pp.^^  and  9p^^  denote  the  closest  max¬ 
imum  in  Fii{p,  9)  to  (pii,  9ii).  We  denote  and  Og  as  the 
variances  in  angles  cr^  and  plus  any  variance  due  to  mea¬ 
surement  error  of  reported  locations  that  can  be  calibrated 
from  device  hardware.  We  define  Pi  for  client  i  as: 

A  =  n  -  (t>Fu ;  0,  dl)  X  g{9ii  -  9f^^  ;  0,  d^)  (3) 

I 

Where  g(x;  g,  cr^)  =  min(l,  s/2Ttf(x]  /i,  cr^))  is  a  normal¬ 
ized  Gaussian  PDF  f{x;p,,a'^)  with  mean  p,  and  variance 


'*  For  clarity,  we  drop  dependence  on  i,  I  for  SNR,  ag  and 
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In  practice,  reported  client  locations  are  subject  to  mea¬ 
surement  errors  due  to  position  sensor  inaccuracies.  Our  def¬ 
inition  of  Pi  above  accounts  for  this  by  using  the  effective 
variances  and  dg  that  are  the  sum  of  the  variance  in  an¬ 
gles,  cr^  and  (jg,  in  addition  to  the  variances  due  to  measure¬ 
ment  error. 

Using  Lemma  1  we  define  the  similarity  metric  7^  as  the 
likelihood  that  two  client  fingerprints  share  identical  peaks: 

Definition  4  (7^)  Let  {<Pii,Oii)  and  {(pjijOji)  denote  the 
set  of  local  maxima,  ordered  by  non-decreasing  angle  val¬ 
ues,  in  fingerprints  Fu  and  Fji.  We  define  jij  for  client  i 
relative  to  client  j  as: 

l[9{P^-pj;0,2al)l[g{9i-ef,0,2a^,)  (4) 

9ie0ii,eje0ji 

Where  g{-;  fx,  is  from  Definition.  3,  and  the  factor  of  2 
in  the  variance  accounts  for  computing  the  difference  of  two 
normally  distributed  values.  □ 


independent.  (A. 3)  The  clients  transmit  enough  packets  to 
emulate  a  large  antenna  array  (in  practice,  25  —  30  packets 
per  second).^ 

Theorem  1  Consider  a  network  with  m  servers  and  c  clients. 
A  new  client  i  either:  1 )  spoofs  s  clients  reporting  a  ran¬ 
dom  location,  potentially  scaling  power,  or;  2)  is  a  uniformly 
randomly  located  legitimate  client.  Let  aspoof,  otiegit  be  the 
confidence  metrics  in  either  case.  Assume  that  the  client  ob¬ 
tains  its  signals  from  servers  along  k  paths  (where  the  num¬ 
ber  of  paths  k  is  defined  by  Eqn.  §7  in  Sec.  %4).  Under  A.  1- 
A.3,  the  expected  aspoof  i  aiegit  are  bounded  by: 

^[aspoof] 

E[aleg^t]  >  1  -  cmdga^  [^j2ae(J^KY''^  (5) 

Where  k  =  ((v^  -|-  ,  ag,  a^,  ag,  are  the  vari¬ 

ances  defined  in  Lemma  1  that  depend  on  signal-to-noise 
ratio  (the  latter  include  measurement  error  in  reported  lo¬ 
cations). 


^/dgd^K  [2mkagarj>Y 


Defining  the  Confidence  Metric:  We  notice  that  Eqn.  2,  3 
and  4  fully  define  ai  for  each  client  i.  In  summary,  the  con¬ 
fidence  metric  is  computed  in  three  steps:  (1)  Obtain  the 
client  fingerprint  using  SAR  on  wireless  signal  snapshots. 
(2)  Measure  the  variance  of  peak  locations  of  these  client 
fingerprints  using  their  Signal-to-Noise  Ratio.  (3)  Compute 
the  similarity  and  honesty  metrics  using  their  above  defi¬ 
nitions  to  obtain  the  confidence  metric.  Algorithm  1  below 
summarizes  the  steps  to  construct  for  a  given  client  i. 


Algorithm  1  Algorithm  to  Compute  Client  Confidence  Metric 

>  Input:  Ratio  of  Channels  hn  and  SNR 

>  Output:  Confidence  Metric,  Oi  for  client  i 

>  Step  (1):  Measure  fingerprints  for  client  i 

for  Z  =  1, . . . ,  m  do 

for  f  G  {0°, . . . ,  360°};  6»  G  {0°, . . . ,  360°}  do 

Find  9)  using  a  single  spin  to  get  hn  (Eqn.  1) 

end  for 
end  for 

>  Step  (2):  Measure  variances  in  peak  locations  using  SNR 

=  Apply  Lemma  1  SNR 

>  Step  (3):  Find  honesty,  similarity  and  confidence  metric 
pi  =  Apply  Defn.  3  using  ag,  a^,  peaks  of  Fu 

for  j  =  c}\{i}  do 

7ij  =  Apply  Defn.  4  using  aj,  a^,  peaks  of  Fu,  Fji 

end  for 

oii  =  - Sij) 


We  now  present  our  main  result  that  solves  Problem  1 
in  the  problem  statement  (Sec.  §3).  The  following  theorem 
says  the  expected  afs  of  legitimate  nodes  approach  1,  while 
those  of  spoofers  approach  0,  allowing  us  to  discern  them 
under  well-defined  assumptions:  (A.l)  The  signal  paths  are 
independent.  (A.2)  Errors  in  azimuth  and  polar  angles  are 


Proof  Sketch:  To  give  some  intuition  on  why  the  theorem 
holds,  we  provide  a  brief  proof  sketch  (proof  in  supplemen¬ 
tary  text  [14]).  To  begin  with,  notice  from  their  definitions 
that  both  the  honesty  metric  Pi  and  confidence  metric  yij 
inspect  peaks  in  fingerprints  Fu  (Lemma  1).  Eor  the  honesty 
metric  Pi  of  a  legitimate  node,  this  peak  location  should  be 
normally  distributed  (subject  to  noise,  measurement  error) 
around  the  reported  location.  For  a  spoofer  that  reports  a  ran¬ 
dom  location,  the  peak  location  is  uniformly  distributed.  A 
similar  (but  inverse)  argument  holds  for  yij .  Hence,  we  sim¬ 
ply  need  to  show  is  that  the  definitions  of  Pi  and  7^  which 
are  both  products  of  the  form  g{X)  can  be  bounded  in  ex¬ 
pectation  if  X  is  uniform  or  normally  distributed. 

To  this  end,  consider  two  random  variables  u  and  v  which 
are  respectively  uniform  and  normally  distributed  between  0 
and  27r  with  mean  0  and  variance  cr^.LetS'  =  •\/2cr(ln 
the  value  at  which  the  minimization  in  g{x)  is  triggered. 
E[g(v)]  and  E\g{u)]  are  as  follows: 

fS 

E[g{v)]  =  /  f(x;0,a^)dx-\-V^ 

J-s 

>  J  f{x;0,a'^)dx  =  erf  >1- a  (6) 


[/(a;;0;cr  )]  dx 


Where  erf(-)  is  the  well  known  Error  function  and  using 
1— erf(a;)  <  e~^  .  Similarly,  we  can  evaluate  E[u{n)]  as: 

E[g{u)]=  [  ■;^dx  +  2V^  f  ^f(x;0-,a‘^)dx 
J-S  J-2Tr  2tT 


S 

<  - 
TT 


'J2ff  \ 


P- 


erf(- 


(7) 


^  This  is  a  mild  requirement  since  25—30  packets  can  be  transmitted 
in  tens  of  milliseconds,  even  at  the  lowest  data  rate  of  6Mb/s  of  802. 1  In 
Wi-Fi. 
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By  assumptions  A.1-A.3,  we  can  apply  these  bounds  to 
write  the  expectation  of  the  honesty  metric  j3i  as  a  product 
of  those  of  the  independent  variables: 


ElPspoof]  =  WE[g{u]0,d-l)\E[g{u]Q,a^g)]  < 
I 


\J  (7  QG 


E[Pleg^t]  =  E[g{v,  0,  al)]E[g{u]  0,  a^)]  >  1  -  mao&^ 
i 


legitimate  client 


legitimate  client 


Cluster  of 
spoofed  clients 


legitimate  client 


Applying  a  similar  argument,  the  similarity  metric  7  is: 


E[-ispoof]  =  n  0’  2CT^)/(t/;  0,  2al)]  >  1  -  2mkaga^  weights  derived 

p^l 
k 

E^iiegit]  =  f\E[g{u]0,2al)g{u]Q,2(jl)]  < 


p=i 


Combining  the  above  equations,  we  prove  Eqn.  5.  □ 

A  natural  question  one  might  ask  is  if  the  above  lemma 
holds  in  general  environments,  where  its  assumptions  A.l- 
A.3  may  be  too  stringent.  Our  extensive  experimental  results 
in  Sec.  9  show  that  our  bounds  on  a  approximately  pre¬ 
dict  performance  in  general  environments.  Further,  Sec.  §9. 1 
shows  that  results  from  an  anechoic  chamber,  which  emulate 
free-space  conditions  where  the  lemma’s  assumptions  can 
be  directly  enforced,  tightly  follow  the  bounds  of  Lemma  1 . 

In  sum,  one  can  adopt  the  above  lemma  to  distinguish 
adversarial  nodes  from  legitimate  nodes,  purely  based  on  a. 
However,  an  interesting  alternative  is  to  incorporate  a  di¬ 
rectly  into  multi-robot  controllers  to  give  provable  service 
guarantees  to  legitimate  nodes.  The  next  section  show  how 
ai  readily  integrates  with  robotic  coverage  controllers,  in 
particular. 

6  Threat-Resistant  Distributed  Control 

This  section  describes  how  our  spoof  detection  method  from 
Sec.  §5  integrates  with  well-known  coverage  controllers  from  [5, 
36,  37].  The  area  coverage  problem  deals  with  positioning 
server  robots  to  minimize  their  Euclidean  distance  to  cer¬ 
tain  areas  of  interest  in  the  environment.  These  areas  are 
determined  by  an  importance  function  p(q)  that  is  defined 
over  the  environment  Q  C  of  size  L{Q).  For  our  cov¬ 
erage  problem,  the  peaks  of  the  importance  are  determined 
by  client  positions  P,  e.g.,  p{q,  P)  =  pi{q)  Pc{q) 

where  Pi{q)  quantihes  the  influence  of  client  i’s  position  on 
the  importance  function.  Using  [5,  36,  37],  server  robot  po¬ 
sitions  optimizing  coverage  over  p{q,  P)  will  minimize  their 
distance  to  clients. 

To  account  for  spoofed  clients,  we  modify  the  impor¬ 
tance  function  p{q,P)  using  the  ai  for  each  client  i  G  [c] 
that  is  computed  by  Algorithm  1.  E.g.,  we  can  multiply  each 
client-term  in  p{q,  P)  by  its  corresponding  confidence  weight: 
p{q,P)a  =  0:1  Pi  (g) -f. .. -I- acPc((z)- Given  the  properties  of 


Fig.  6:  Coverage  guarantee:  An  e  ball  around  the  ground-tnath  cen¬ 
troid,  ,  is  shown  in  green.  Theorem  2  finds  e('P)  so  that  server 

positions  remain  in  this  ball  in  the  presence  of  spoofed  clients. 

in  Theorem  1,  i.e.,  cti  is  bounded  near 
zero  for  a  spoofed  client  and  near  one  for  a  legitimate  client, 
fcthe  effect  of  multiplication  by  the  ct’s  is  that  terms  corre¬ 
sponding  to  spoofed  clients  will  be  bounded  to  a  small  value 
(see  Fig.  6);  providing  resilience  to  the  spoofing  attack. 

For  simplicity,  we  assume  the  importance  function  p{q) 
is  static  (from  [5])  and  a’s  from  Algorithm  1  are  computed 
once,  at  the  beginning  of  the  coverage  algorithm.  We  note 
that  our  approach  readily  extends  to  the  adaptive  case  in  [36, 

37]  when  the  importance  function  (and  location  of  clients) 
change,  by  having  the  service  robots  exchange  their  learned 
importance  function.  This  in  turn  can  trigger  a  re-calculation 
of  a  values. 

We  now  show  that  computed  server  positions  are  im¬ 
pacted  by  spoofers  to  within  a  closed-form  bound,  that  de¬ 
pends  on  problem  parameters  like  signal-to-noise  ratio.  The¬ 
orem  2  below  solves  Problem  2  of  our  problem  statement  (Sec.  §3), 

Theorem  2  Let  X  be  a  set  of  server  robot  positions  and 
P  =  S  U  S  be  a  set  of  client  positions  where  S  is  the  set  of 
spoofed  client  positions,  and  S  is  the  set  of  legitimate  clients. 

The  identities  of  the  clients  being  spoofed  is  assumed  un¬ 
known.  Let  {ai, ...  ,ac\  be  a  set  of  confidence  weights  sat¬ 
isfying  Theorem  1  and  assume  a  known  importance  function 
p{q,  P)  =  pi{q)  Pciq)  that  is  defined  over  the  envi¬ 

ronment  Q  C  R^  of  size  D{Q).  Define  Cy  =  {x\, . . . ,  a;^} 
to  be  the  set  of  server  positions  optimized  over  p{q,  S),  i.e., 
where  there  are  zero  spoofed  clients  and  to  be  the  set 
of  server  positions  optimized  over  p{q,P)a  =  aipi{q)  -f 
. . .  -f  otcPcisi)  where  there  is  at  least  one  spoofed  client,  i.e., 

I'S'I  ^  1-  ^  {cHi  ■  ■  ■  ^  C(c}  satisfy  Theorem  1,  we  have  that 
'ix  G  Cy,„^  there  exists  a  unique  y  G  Cy,  where  in  the  ex¬ 
pected  case  dist(x,  y)  <  e{m,  s,  a^,  ag,  k) 

e  =  max  |  [1/ aga^K]^[2mk(7ga^]‘‘ ,  cm&ga^[^2ag(T^KY^'^  1-0(2) 

and  m,  s,a^,ag,  K  are  problem  parameters  as  in  Theo¬ 
rem  1. 

Proof:  We  make  an  important  observation  that  E\aj\  < 
a  if  client  z  is  a  spoofed  node,  and  E[ai\  >  b  otherwise; 
hence: 

p{q,  P)a  =  a{pi{q)  -f  . . .  -f  Ps{q))  +  b{ps+i{q)  -f  . . .  -f  Pc{q)) 


is  the  maximal  effect  that  the  presence  of  spoofed  clients 
can  have  on  the  importance  function.  Intuitively,  all  spoofed 
clients  have  a  weight  of  at  maximum  a  and  all  legitimate 
clients  have  a  reduced  weight  of  at  minimum  b.  Using  this 
observation  we  can  bound  the  influence  of  the  spoofed  clients 
on  computed  server  control  inputs  (see  Fig.  6).  Specifically, 
recall  from  [5]  that  the  position  control  for  each  server  is: 
ui  =  -2Mv{Cv  -  Cl),  where  My  =  Jy  p{q)dq,  Cy  = 
13“  ly  dp{ci)dq  and  V  is  the  Voronoi  partition  for  server  I 
defined  as  all  points  q  G  Q  with  dist((j, x;)  <  dist(q,Xg) 
where  g  ^  L  Using  the  importance  function  from  above  we 
can  write  Cy^  =  j^iaCy^  +  bCy^)  where  Cy^  is  the 
component  of  the  centroid  computed  over  spoofed  nodes 
and  Cy^  is  the  component  of  the  centroid  computed  over 
legitimate  nodes  and  My^  is  defined  shortly.  We  rewrite 
Cyg  as  a  perturbation  of  the  centroid  over  legitimate  nodes 
as  Cvg  =  Cy^  +  v||e||  where  v  is  an  arbitrary  unit  vec¬ 
tor  and  the  magnitude  of  e  can  be  as  large  as  the  length 
of  the  operative  environment, ||e||  <  D{Q).  Let  the  total 
mass  be  T  =  My^  -f  My^.  We  can  write  a  similar  ex¬ 
pression  for  the  mass  My^  using  the  bounds  a  and  b  as 
My^  =  bT  +  {a  —  b)My^.  Substituting  these  expressions 
into  Cy^  and  simplifying  gives  Cy^  =  ■  Com¬ 

bining  this  expression  with  the  server  control  input: 

ui=k{[{a  +  b)Cy^-pi]+b\\e\\y)  (8) 


shows  that  the  total  path  length  traversed  in  the  drone  deliv¬ 
ery  problem  is  impacted  by  the  presence  of  spoofed  nodes 
to  within  a  closed-form  bound,  that  depends  on  problem  pa¬ 
rameters  like  signal-to-noise  ratio. 

Theorem  3  Let  x  be  a  the  server  robot  position  and  P  = 

SUS  be  a  set  of  client  positions  where  S  is  the  set  of  spoofed 
client  positions,  and  S  is  the  set  of  legitimate  clients.  The 
identities  of  the  clients  being  spoofed  is  assumed  unknown. 

Let  {«!, . . . ,  ttc}  be  a  set  of  confidence  weights  satisfying 
Theorem  1  and  environment  size  D(Q).  There  exists  a  de¬ 
cision  threshold  T  >  0  such  that  the  indicator  function  de¬ 
fined  as: 

1  ai  >  T 
0  otherwise 

for  each  client  i  G  {1, . . . ,  c},  can  be  derived  to  determine 
whether  client  i  will  be  serviced  by  the  delivery  drone,  i.e., 

Icti  =  1-  Using  this  indicator  function  we  define  the  total 
path  length  covered  by  the  server  tobe  L  =  Iaidist{pi,x). 

Let  Liegit  =  disfipi,  x)  be  the  total  path  length  cov¬ 

ered  by  the  server  in  the  optimal  case  of  no  spoofed  nodes. 

Then  the  difference  in  expectations  is  bounded  such  that: 


Where  k  =  -2{bT  -f  aMy^).  If  (a  -f  6)  =  1,  this  control  \E\L]  -  E\Liegit]\  <  max{\S\, \S\)bD{Q)  (9) 

input  drives  the  server  robot  I  to  a  neighborhood  of  size  e  =  _  ti  ei  i  ch  ri  nt 

6||e||  <  bD{Q)  centered  around  the  centroid  Cl  defined  ’ 

over  the  legitimate  clients.  So  if: 

where  e  =  bD{Q),  b  =  max  \^[y/a-gd^K]'^[2mkaga^Y  , 
6  =  max  <  \\/dr)^K]"^\2mkaQad,Y ,crriaa(TA\/2(T()^KY^^  \  and  m.  s.  era.  k  are  oroblem 


r  _  _  'I  -  ''  “  - - ILV  L - j 

b  =  va&y:  dgd (j,K]'^\2mka0a ,  cma 0cr (f,[^/2(jQ(Tff,KY^  |  cmdQa^[yj2aQcr^KY^^^,  and  m,  s,a^,  ae,  n  are  problem 

parameters  as  in  Theorem  1. 

from  Theorem  1  Equation  (5),  then: 

e  =  max  ^(2)  Proof:  For  each  client  i  G  1, ...,  c,  let  us  denote: 


then  we  have  (a  -f  &)  =  1  as  desired,  proving  the  lemma.  □ 


7  Threat-Resistant  Drone  Delivery 


1  ai  >  T 
0  otherwise 


The  previous  section  describes  an  application  of  the  a  from 
Section  5  as  continuous  weights  to  bound  the  influence  of 
adversarial  clients.  While  this  approach  is  useful  for  prob¬ 
lems  of  a  continuous  nature  like  coverage,  other  problems 
in  control  require  a  more  discrete  approach.  For  example, 
in  delivery  problems  a  decision  must  be  made  whether  to 
visit  a  client  site  or  not  since  traversing  a  path  some  frac¬ 
tion  of  its  length  is  equivalent  to  not  visiting  the  client  site  at 
all.  In  other  words,  it  is  an  inherently  binary  decision  prob¬ 
lem.  This  section  shows  how  the  a  weights  from  Section  5 
can  be  used  as  a  classifier  to  select  a  subset  of  clients  to 
be  serviced,  as  in  a  drone  delivery  context.  The  drone  de¬ 
livery  problem  is  described  in  Problem  3.  The  result  below 


Where  T  is  a  constant  chosen  so  that: 

E[ai]  =  f  P{ai  >  x)dx  (11) 

Jo 

=  P{ai  >  T)  (using  Mean  Value  Theorem)  (12) 

=  (13) 

The  last  equation  holds  from  the  fact  that  /„ .  is  an  indicator 
function  for  the  event  ai  >  T.  Note  that  here  we  show  the 
existence  of  such  a  T,  but  we  do  not  find  an  analytical  value 
for  T.  In  Section  9  however,  we  show  the  empirical  perfor¬ 
mance  of  the  median  threshold  T  =  0.5.  We  can  then  write 
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the  expected  total  path  length  of  the  delivery  drone  as; 

e[l]  =  e[J2  Iaidist{pi,x)]  (14) 

PiGP 

=  X!  (15) 

Pi€P 

=  ^  E[ai]dist(jJi,  x)  (using  Eqn.  13)  (16) 

Pi€P 

=  ^  E[ai]dist{p„  x)  +  ^  E[ai]dist{pi,x)  (17) 

PiGS  Pi^S 

Recall  from  Theorem  1  and  2  that  we  can  bound  E[ai]  as: 

E[ai^spoof]  <  £lD{Q)  Ela^jegit]  >  1  -  <^/D{Q) 

Where 

e  =  max  |  [-y/o-u k] ™  [2mfccre cr^] ® ,  cmag [•^2cre tr,^ k] |  D{Q) 
Applying  the  above  bounds  to  Eqn.  17,  we  have: 

E[L]  <  dist(pi,a;)  +  — ^  Y  dist(pi,a;) 

p.GS  ''^'^PiGS 

^  E[Liegit]  +  l^je 

E[L]  >Y(^-  Wm)  dist(Pz,a;)  +  ^  0 

Pi&s  ^  ^  Pies 

>  E[Li,g,t]  -  |5|e 

Combining  the  above  two  equations,  we  conclude  that: 

|£;[L]-E;[Lze5*t]|  <max(|5U^|)e 
which  proves  the  theorem.  □ 

8  Using  a  in  Multi-Robot  Control  Objectives 

The  above  sections  demonstrate  two  modalities  of  integrat¬ 
ing  confidence  metric  a  to  secure  multi-robot  controllers: 
either  as  a  continuous  per-agent  weight,  or  as  a  means  to 
classify  agents  as  legitimate  or  spoofed.  Theorem  2  and  The¬ 
orem  3  show  theoretical  bounds  on  the  influence  of  adver¬ 
saries  to  controllers  in  the  coverage  and  unmanned  delivery 
contexts.  Further,  empirical  results  in  Sec.  §9  demonstrate 
that  a  performs  well  when  applied  both  in  continuous  and 
discrete  settings.  However,  it  is  natural  to  ask  which  of  these 
two  modes  ought  be  applied  to  secure  any  given  multi-robot 
problem  of  interest,  beyond  coverage  and  unmanned  deliv¬ 
ery.  In  this  regard,  we  make  the  following  observations: 
Applying  a  as  continuous  weights:  For  many  control  ob¬ 
jectives,  the  contribution  of  each  agent  to  the  total  optimiza¬ 
tion  function  is  naturally  expressed  as  a  continuous  quan¬ 
tity.  In  these  contexts,  a  natural  modality  to  integrate  a  is 
to  incorporate  it  as  a  per-agent  weight  that  directly  reduces 


Fig.  7:  Hardware 
evaluation:  De¬ 

picts  an  example 
robot  network 
within  our  experi¬ 
mental  setup  with 
a  quadrotor  server 
and  several  mobile 
clients 

the  contributions  of  spoofed  clients  to  the  optimization  func¬ 
tion.  Doing  so  has  two  key  advantages:  (1)  It  enables  prov¬ 
able  bounds  in  expectation  on  the  influence  of  spoofers  to 
the  multi-robot  objective  (akin  to  Theorem  2).  (2)  Per-client 
weighting  limits  the  extent  to  which  spoofed  clients  can  in¬ 
fluence  the  controller  in  the  worst-case. 

Applying  a  to  decision-based  problems:  Unfortunately, 
many  problems  do  not  allow  for  a  continuous  weighting 
since  their  objectives  are  inherently  discrete  decisions  on 
each  agent  in  the  network  (e.g.  unmanned  delivery).  In  these 
cases,  a  can  still  be  used  to  derive  an  indicator  function  that 
classifies  agents  as  legitimate  or  spoofed.  This  modality  still 
allows  for  obtaining  bounds  in  expectation  on  the  influence 
of  spoofers  (akin  to  Theorem  3).  However,  by  the  sheer  na¬ 
ture  of  these  problems,  false  positives  or  negatives  have  a 
greater  impact  on  the  objective  function  in  the  worst-case. 
For  example,  a  small  shift  in  a  when  it  is  close  to  the  thresh¬ 
old  may  cause  the  indicator  function  to  easily  mislabel  a 
spoofed  client  as  legitimate  or  vice-versa. 

9  Experimental  Results 

This  section  describes  our  results  from  an  experimental  eval¬ 
uation  of  our  theoretical  claims.  Our  aerial  servers  were  im¬ 
plemented  on  two  AscTec  Atomboard  computing  platforms 
equipped  with  Intel  5300  Wi-Fi  cards  with  two  antennas 
each,  mounted  on  two  AscTec  Hummingbird  quadrotors.  Our 
clients  were  ten  iRobot  Create  robots,  each  equipped  with 
Asus  EEPC  netbooks  and  single-antenna  Wi-Fi  cards.  An 
adversarial  client  forged  multiple  identities  by  spawning  mul¬ 
tiple  packets  containing  different  identities  (up  to  75%  of  the 
total  number  of  legitimate  clients  in  the  system),  and  could 
use  a  different  transmit  power  for  each  identity.  The  ad¬ 
versary  advertised  identities  by  modifying  the  Wi-Fi  MAC 
field,  a  common  technique  for  faking  multiple  identities  [38] . 
Evaluation:  We  evaluate  our  system  in  two  environments: 

1 )  An  indoor  multipath-rich  environment  with  walls  and  ob¬ 
stacles  equipped  with  a  Vicon  motion  capture  system  to  aid 
quadrotor  navigation;  2)  An  anechoic  chamber  to  emulate 
a  free-space  setting  that  is  particularly  challenging  to  our 
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(a)  a  Histogram  (Free-space)  (b)  a  Histogram  (Multipath) 
Fig.  8:  Experimental  Evaluation  of  o:  (a)  In  an  anechoic  chamber 


approximating  our  assumptions  A.1-A.3  (§1),  a  largely  agrees  with  the¬ 
ory.  (b)  In  a  typical  multipath  environment,  experimental  results  closely 
follow  theoretical  predictions.  Data  shows  that  a  =  0.5  is  a  good  thresh¬ 


old  value. 


Anechoic  Chamber  Indoor  Environment 


Fig.  9:  Co-Aligned  Clients:  We  vary  the  angle  (f>  between  a  legitimate 
and  malicious  client,  relative  to  a  single  server,  and  plot  a  in  (a)  an  ane¬ 
choic  chamber  and  (b)  an  indoor  environment.  The  minimum  ip  needed 
to  distinguish  the  clients  is  only:  (a)  3°  in  freespace,  (b)  0°  in  multipath 
settings. 


(a)  No  security  (b)  Oracle  (c)  Our  System 


Iteration  # 

(d)  Cost 


Fig.  10;  Experimental  Results  for  Sybil  Attack  in  Multi-Agent  Coverage:  Depicts  the  total  distance  of  converged  quadrotor  server  positions 
(white  x)  to  two  legitimate  clients  (  •  )  and  six  spoofed  clients  (  •  ).  We  consider:  (a)  an  insecure  system  where  each  spoofed  client  creates  a  false 
peak  in  the  importance  function,  (b)  a  ground  truth  importance  function,  and  (c)  our  system  where  applying  a  weights  from  Algorithm  1  recovers 
the  true  importance  function,  (d)  Depicts  a  ground-truth  cost  computed  with  respect  to  legitimate  clients  as  Sybil  nodes  dynamically  enter  the 
network.  Our  system  (red  dotted  line)  performs  near-optimal  even  when  spoofed  clients  comprise  more  than  twice  the  network. 


system.  We  estimated  the  average  theoretical  expected  stan¬ 
dard  deviation  to  he  ag ,  tr^  of  0 . 7°  (Lemma  1 ) .  After  includ¬ 
ing  the  standard  deviation  in  reported  location,  based  on  the 
known  errors  of  our  localization  framework,  this  increased 
the  average  ae,d-^  by  2° (variances  in  each  experiment  de¬ 
pend  on  measured  SNR)  We  compare  our  system  against  a 
baseline  that  uses  a  Received  Signal  Strength  (RSSI)  com¬ 
parison  (akin  to  [34]). 

Roadmap:  We  conduct  four  classes  of  experiments:  (1)  Mi¬ 
crobenchmarks  to  validate  our  client  confidence  metric,  both 
in  free-space  and  multipath  indoor  environments  (Sec.  §9.1). 
(2)  Experiments  applying  this  confidence  metric  to  quar¬ 
antine  adversaries  (Sec.  §9.2).  Application  of  our  system 
to  secure  against  Sybil  attacks:  (3)  the  coverage  problem 
(Sec.  §9.3);  (4)  the  drone  delivery  problem  (Sec.  §9.4). 


9.1  Microbenchmarks  on  the  Confidence  Metric 

This  experiment  studies  the  correctness  of  our  system’s  con¬ 
fidence  metric  a.  Recall  from  theory  in  §5  that  a’s  measured 
by  a  server  robot  distinguish  between  unique  clients  based 
on  their  diverse  physical  directions  and  the  presence  of  mul¬ 


tipath  reflections.  Thus,  a  free-space  environment  (i.e.,  with 
no  multipath)  is  particularly  challenging  to  our  system. 

Method:  To  approximate  free-space,  we  measured  a  values 
in  a  radio-frequency  anechoic  chamber  (Fig.  11(a))  which 
attenuates  reflected  paths  by  about  60  dB,  for  a  legitimate 
and  malicious  client  from  one  server  robot  12  m  away.  We 
also  introduced  a  metallic  reflector  in  this  controlled  setting, 
to  measure  the  contribution  of  multipath  to  a.  Next,  in  a 
10  m  X  8  m  indoor  room  (a  typical  multipath  case),  we  mea¬ 
sured  a’s  from  one  server  for  up  to  ten  legitimate  clients  and 
ten  spoofed  clients. 

Results:  In  Fig.  8,  the  values  of  a  in  the  anechoic  chamber 
tightly  follow  our  theoretical  bounds  in  Theorem  1  (Fig.  9(c)) 
As  expected,  our  results  in  indoor  multipath  environments 
exhibit  a  larger  variance  but  follow  the  trend  suggested  by 
theory.  Further,  we  stress  our  confidence  metric  by  isolating 
the  case  of  colinearity  in  both  environments.  We  consider 
a  spoofing  adversary  initially  co-aligned  with  a  legitimate 
client  as  the  angle  of  separation,  increases  from  0°  to  20° 
relative  to  the  server  robot  (Fig.  11(b)),  and  measure  a  in 
Fig.  9.  In  the  anechoic  chamber  at  close  to  0°,  the  finger¬ 
prints  of  the  legitimate  and  adversarial  nodes  are  virtually 
identical:  each  has  precisely  one  peak  at  0°.  Consequently, 
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(a)  Chamber 


(b)0 


Fig.  1 1 :  Microbenchmarks  on  a  :  (a)  An  anechoic  chamber  simu¬ 
lating  freespace.  (b)  We  measure  a  while  varying  the  angle  between  a 
legitimate  and  malicious  client,  relative  to  the  robotic 

legitimate 
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:z,  =  0.9769 
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=  0.04624 


Fig.  12:  Anechoic  chamber  multipath:  We  measure  a  for  a  spoof¬ 
ing  client  coaligned  with  a  legitimate  client  (0  =  0°)  in  the  anechoic 
chamber  before  and  after  adding  a  reflector  to  introduce  multipath.  The 
increased  separation  of  a  and  lower  standard  deviation  (shown  as  bars) 
is  depicted  on  the  right. 

a  for  the  legitimate  node  is  much  below  1,  indicating  that 
is  believed  to  be  adversarial  (i.e.,  the  term  (1  —  7)  in  a 
approaches  zero  in  Eqn.  2).  However,  a  for  the  legitimate 
client  quickly  approaches  1,  even  if  </>  =  3°  in  the  anechoic 
chamber.  In  fact,  a  is  virtually  identical  to  1  beyond  10°, 
indicating  that  a  single  server  robot  can  distinguish  closely 
aligned  legitimate  and  adversarial  clients  even  in  free-space. 
To  evaluate  the  effects  of  multipath  with  coaligned  clients 
in  a  controlled  manner,  we  positioned  a  small  metallic  re¬ 
flector  several  meters  away  from  the  two  clients  and  server 
in  the  anechoic  chamber.  Fig.  12  demonstrates  that  the  the 
additional  reflected  signal  paths  strongly  disambiguate  the  a 
values  for  coaligned  clients.  Speciflcally,  the  term  (1  —  7)  in 
Eqn.  2  approaches  zero  only  for  the  adversary.  We  also  eval¬ 
uate  coaligned  clients  in  a  typical  indoor  setting  (Eig.  9b). 
As  expected,  multipath  reflections  from  walls  and  obstacles 
clearly  distinguish  spoofing  clients  from  legitimate  clients 
even  at  (/)  =  0° . 


9.2  Performance  of  Sybil  Attack  Detection 

In  this  experiment,  we  measure  our  system’s  classification 
performance  on  legitimate  and  spoofed  clients,  in  the  pres¬ 
ence  of  static,  mobile,  and  power-scaling  adversaries. 
Method:  This  experiment  was  performed  in  the  multipath- 
rich  indoor  testbed  with  walls  and  obstacles.  Each  run  con¬ 
sisted  of  one  quadrotor  server  and  randomly  positioned  clients 
—  either  ten  legitimate  clients,  or  nine  legitimate  clients 
and  an  adversary  reporting  two  to  nine  additional  spoofed 


OurS; 

TPR 

astern 

FPR 

RS 

TPR 

SI 

FPR 

Static 

96.3 

3.0 

81.5 

9.1 

Mobile 

96.3 

6.1 

85.2 

6.1 

A  mW 

100.0 

3.0 

74.1 

27.3 

Table  1:  Summarized  classification  performance:  True 
positive  rates  (TPR)  and  false  positive  rates  (EPR)  for  clas¬ 
sifying  clients  as  spoofed,  when  a  <  0.5  in  our  system,  and 
with  a  2  dB  minimum  dissimilarity  for  RSSI. 


clients.  Each  Sybil  attack  was  performed  under  three  modal¬ 
ities:  (1)  a  stationary  attacker  with  a  fixed  transmission  power, 
(2)  a  mobile  attacker  (random- walk  and  linear  movements), 
and  (3)  an  attacker  scaling  the  per-packet  power  by  a  dif¬ 
ferent  amount  for  each  spoofed  client,  from  1  to  31  mW. 
We  compare  our  system  to  a  baseline  RSSI  classifier  using  a 
thresholded  minimum  dissimilarity,  a  technique  previously 
applied  in  static  networks  [34, 42].  Measured  signal-to-noise 
ratios  for  clients  ranged  from  5  dB  to  25  dB.  In  our  sys¬ 
tem,  quadrotor  servers  performed  classification  by  applying 
a  threshold  using  the  measured  a  values  for  each  client. 
Results:  In  Eig.  13,  we  measure  true-positives  against  false- 
positives  collected  over  multiple  network  topologies,  result¬ 
ing  in  the  well-known  Receiver  Operating  Characteristics 
(ROC)  curves  [8].  Our  theoretical  results  in  Sec  7  indicate 
that  a  measurements  are  suitable  for  use  in  a  threshold¬ 
ing  classification  context.  Empirically,  Eig.  8  shows  that  a 
threshold  of  a  <  0.5  performs  well  to  classify  clients  as 
spoofed.  Table  1  summarizes  our  performance  results  when 
using  this  threshold  for  each  of  the  three  attack  modalities, 
compared  to  RSSTbased  classification  where  a  2  dB  thresh¬ 
olded  minimum  dissimilarity  performed  best. 

In  particular,  our  classifier  is  robust  to  power-scaling  Sybil 
attacks  (where  RSSI  performs  poorly)  since  we  use  the  ra¬ 
tio  of  wireless  channels  in  computing  a  (Sec.  §4).  Our  client 
classifier  exhibits  consistent  performance  in  both  power-scaling 
and  mobile  scenarios  with  a  TPR  Ri  96%  and  EPR  r;  4%. 


9.3  Application  to  Multi-Agent  Coverage 

We  implement  the  multi-agent  coverage  problem  from  [5], 
where  a  team  of  aerial  servers  position  themselves  to  min¬ 
imize  their  distance  to  client  robots  at  reported  positions 
Pi,i  G  [c].  We  use  an  importance  function /9(g,  P)  =  Pi{q)  + 
...  -I-  Pc{q)  defined  in  Sec.  §6  where  each  client  term  is  a 
Gaussian-shaped  function  pi{q)  =  exp(— —  Pif" {q  — 
Pi))  (Pig.  10b).  An  a-modifled  importance  function  is  im¬ 
plemented  as  p[q,  P)a  =  aipi{q)  -f  . . .  -f  a^Pciq)  where 
the  a  terms  are  computed  using  Algorithm  1  (Pig.  10c). 
Method.  This  experiment  was  performed  in  the  multipath- 
rich  indoor  testbed.  Por  each  experiment  we  randomly  place 
three  clients  in  an  8  m  x  10  m  room  with  two  AscTec  quadro- 
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Fig.  13:  Receiver  Operating  Characteristics:  We  measure  ROC  curves  for  adversaries  which  (a)  are  static;  (h)  scale  power 
differently  while  spoofing  different  clients;  and  (c)  are  mobile.  We  compare  the  performance  of  our  system  against  a  baseline 
using  received  signal  power. 


tor  servers.  Fig.  10(a)-(c)  shows  one  client-server  topology 
where  an  adversary  spoofs  six  Sybil  clients.  Upon  conver¬ 
gence,  we  measure  the  distance  of  each  server  from  an  opti¬ 
mal  location  in  3  scenarios:  7j  a  naive  system  with  no  secu¬ 
rity,  2)  an  oracle  which  discards  Sybil  clients  a  priori,  and 
3 )  our  system. 

Results:  Fig.  10(a)-(c)  depicts  the  converged  locations  for 
a  candidate  topology  in  the  above  three  scenarios.  We  ob¬ 
serve  that  by  incorporating  a  weights  in  our  controller,  our 
system  approximates  oracle  performance.  Fig.  lOd  demon¬ 
strates  the  ability  of  our  system  to  bound  the  service  cost  to 
near  optimal  even  as  spoofers  enter  the  network  (comprising 
up  to  300%). 

Aggregate  Results:  Across  multiple  topologies  and  12  runs, 
with  no  security  the  maximum  distance  from  each  quadrotor 
to  an  oracle  solution  is  on  average  3.77  m  (stdev:  0.86).  Our 
system  achieves  a  0.02  m  (stdev:  0.02)  average  from  oracle. 


9.4  Application  to  Unmanned  Delivery 

This  experiment  applies  our  Sybil  attack  detection  algorithm 
in  the  context  of  unmanned  delivery.  Specifically,  we  con¬ 
sider  a  delivery  quadrotor  that  iteratively  visits  multiple  client 
locations  from  a  depot  to  deliver  packages,  for  instance  de¬ 
livering  relief  material  in  a  disaster  area.  An  adversarial  power¬ 
scaling  client  spawning  multiple  non-existent  client  loca¬ 
tions  could  readily  disrupt  such  a  system,  drawing  the  de¬ 
livery  robot  away  to  service  regions  where  no  clients  ex¬ 
ist.  We  study  the  effectiveness  of  our  system  in  guarding 
against  such  attacks  and  compare  it  against  the  RSSI  base¬ 
line  (Sec.  §9.2). 

Method:  Multiple  heuristics  exist  for  approximating  opti¬ 
mal  solutions  to  unmanned  delivery  problems  which  min¬ 


imize  distance,  payload,  or  fuel  usage  [22,  33].  We  use  a 
simple  distance  metric  —  the  shortest  quadrotor  flight  path 
which  visits  all  client  locations  iteratively,  returning  to  the 
depot  each  time  —  and  deploy  a  system  that  uses  our  bi¬ 
nary  classifier  based  on  signal  fingerprints  to  filter  malicious 
clients.  We  compare  our  results  both  against  a  baseline  clas¬ 
sifier  based  on  RSSI  as  well  as  a  naive  system  which  vis¬ 
its  every  reported  client  location.  We  repeat  the  experiment 
across  ten  randomly  chosen  topologies.  Fig.  14(a)  depicts  a 
candidate  topology  where  two  legitimate  clients  report  their 
positions  pi  and  p2  to  a  quadrotor  beginning  its  delivery 
route  at  location  x,  while  a  malicious  client  at  position  pa  re¬ 
ports  six  false  client  locations  (inclusive).  The  average  min¬ 
imum  trajectory  length  for  the  quadrotor  to  visit  all  8  clients 
across  our  topologies  is  41.78m. 

Results:  Fig.  14(a)-(c)  depicts  candidate  trajectories  of  the 
quadrotor  in  the  three  scenarios:  (1)  A  naive  system  with¬ 
out  cyber-security;  (2)  The  RSSl-baseline;  (3)  Our  system. 
In  the  RSSI  baseline,  the  quadrotor  compares  the  received 
power  per  packet  for  each  client,  but  misclassifies  a  subset 
of  the  spoofed  clients  as  legitimate  owing  to  noise,  result¬ 
ing  in  the  quadrotor  traveling  a  mean  path  length  of  20.92 
m.  In  contrast,  our  system  benefits  from  the  large  margin  of 
separation  when  classifying  clients  using  their  a  value  (as  in 
Sec.  §9.2),  with  the  quadrotor’s  resultant  mean  path  length 
of  12.05  m  performing  close  to  an  oracle’s  ideal  system’s 
path  length  of  10.91  m  across  toplogies  (see  Fig.  14(d)). 

10  Conclusion 

In  this  paper,  we  develop  a  new  system  to  guard  against 
the  Sybil  attack  in  multi-robot  networks.  We  derive  theoret¬ 
ical  guarantees  on  the  performance  of  our  system,  which  are 
validated  experimentally.  While  this  paper  has  focused  on 
coverage  and  unmanned  delivery,  our  approach  can  be  read- 
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(d)  Aggregate  Results 


Fig.  14:  Path  of  Delivery  Robot:  Depicts  sample  trajectories  of  the  delivery  robot  iteratively  visiting  each  client  and  returning 
to  a  depot  with  two  legitimate  clients  and  an  adversary  spoofing  six  clients  for:  (a)  The  naive  system  with  no  security;  (b) 
The  baseline  that  classifies  nodes  based  on  received  signal  power;  and  (c)  Our  system,  (d)  Depicts  the  mean  and  standard 
deviation  of  total  length  of  the  trajectory  across  the  different  scenarios. 


ily  extended  to  secure  other  multi-robot  controllers  against 
Sybil  attacks,  e.g.,  applications  within  the  Vehicle  Routing 
Problem  [22,  33],  in  search-and-rescue  tasks  [23],  and  to  for¬ 
mation  control  [43].  We  note  for  future  work  that  our  method 
of  detecting  spoofed  clients  is  applicable  to  servers  as  well, 
since  they  also  communicate  wirelessly.  Additionally,  while 
this  paper  addresses  Sybil  attacks  in  which  spoofed  clients 
assume  unique  identities,  our  approach  generalizes  to  de¬ 
fense  against  replay  attacks  [9,  29]  where  adversaries  im¬ 
itate  existing  legitimate  clients  in  the  network.  Since  our 
approach  is  based  on  the  fundamental  physics  of  wireless 
signals,  we  believe  that  it  also  applies  to  other  Wi-Fi  based 
security  issues  in  robot  swarms  such  as  packet  path  valida¬ 
tion  [25]  and  detecting  packet  injection  attacks  to  name  a 
few. 
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